GPO and Loopback

JPM

I use a Windows 2003 server; this server is a DC and a Terminal Server.
I'd like to set up some GPOs for the terminal users, but the GPO is not
allowed to change the local settings of the users' computers/laptops.

I read that I can use a loopback policy, but I don't know how.
There is a post somewhere that uses a different terminal server and a
DC; can I still use loopback with one server?

Is there a manual on how to set up GPOs and loopback policies?

please help

JPM
 
Thanks.

The GPO is not the problem; the thing I really want to know is the loopback policy.
How do I set up a loopback policy and how do I enable it?
In the link they say just to enable it; is that all?

JPM
 
JPM,

I think that the link explains it pretty well. What exactly do you not
understand?

Cary


JPM said:
Thanks.

The GPO is not the problem; the thing I really want to know is the loopback policy.
How do I set up a loopback policy and how do I enable it?
In the link they say just to enable it; is that all?

JPM


"Cary Shultz [A.D. MVP]" <[email protected]> wrote in message
JPM,

Please take a look at the following MSKB Article:

http://support.microsoft.com/?id=278295

Please note that this is specifically for WIN2000 but the concept is the
same.

HTH,

Cary
 
JPM,

I think that it might be a good idea to explain it in these terms. You
create an Organizational Unit. You place the computer account object in
that Organizational Unit. If I read your original post correctly, this
server that is running TS is also a Domain Controller. That just makes
things a bit more interesting. Not sure how it works with WIN2003 but in
WIN2000 you can actually move a Domain Controller out of its original OU (
the default 'Domain Controllers' OU ) and not have to worry about losing any
of the other policies ( like the Domain Controller Security Policy ).
However, I am not sure that I would want to start doing this!

You would then create a Loopback policy in (probably) replace mode. The
other choice is merge mode. You probably do not want that one in this case.
But, the key word is *probably*.

What this does is to change the way that GPOs are processed. Remember that
the pecking order is ALWAYS local, Site, Domain, OU, sub-OU. That is not
changed! Furthermore, remember that the computer-side configuration is run
at start-up and then the user-side configuration is run at logon.

Under normal conditions GPOs are processed in the following order: At
computer start up any local computer GPO is processed, then any
computer-side configuration Site GPOs are processed, then any computer-side
configuration Domain GPOs are processed and then any computer-side OU GPOs
are processed. Then, the user is presented with the logon box and enters
his/her credentials. At that moment, any local user-side GPO is processed,
followed by user-side configuration Site GPOs , followed by any user-side
configuration Domain GPOs and finally any user-side configuration OU GPOs.
Now, how do we know what GPOs are going to be applied? Well, the GPOs that
are in place / linked to the OU where the computer account object is located
and the GPOs that are in place / linked to the OU where the user account
object is located are what apply - generally speaking. There are the two
'default' policies that apply to all out of the box.

That would be the normal flow.

However, with the loopback GPO in replace mode what happens is that the GPO
that is linked to the OU which contains the computer account object is
applied and the GPO that is linked to the OU which contains the user account
object is ignored.

So, let's create a fast example:

You have a default, out-of-the-box set up with one exception. You want to
create a more locked down TS environment. You have two Domain Controllers
and one Member Server which runs TS. The two DCs ( named DC01 and DC02 )
are located in the default 'Domain Controllers' OU. The member server (
named citrix01 ) is located in the default 'Computers' container.
Furthermore, all of your user account objects are kept in an OU called
'employees' ( and not in the default 'Users' container - this is the
exception ). You have linked several GPOs to this OU ( Office XP, Adobe
Acrobat Reader 6.0.1, etc. etc. etc. ) so that all of your users have the
same apps and so that these apps follow the user should he/she not log on to
his/her 'normal' computer.

You would create an OU ( call it CITRIX or whatever ) and then move
citrix01 to that OU. You would then create the GPO linked to the OU CITRIX
following the MSKB Article. In this GPO you are going to create both
computer-side and user-side items - as per the MSKB Article. I would also
suggest that you play with this and use this as a good starting point. You
might have a need to not include everything while adding others. However,
for this example let's just assume that you follow this MSKB Article to the
letter.

When your users log on to a computer they are going to have everything that
they would normally. The computer account object that they use to log on
is located in the default 'Computers' container. Whatever GPOs apply to
those computer accounts will be applied ( this is generally the Default
Domain Policy ). Then, whatever GPOs are linked to the OU which contains
his/her user account object will be applied ( from the user-side GPOs they
will have Office XP and Adobe Acrobat Reader and everything else. This is
because their user account object is subject to the GPOs that you linked to
the 'employees' OU ) and the normal flow is in effect.

In Loopback replace mode the only GPO that is applied is the GPO that you
link to the OU that contains the computer account object. Any GPOs linked
to the OU in which the user account object resides are ignored.

Does this help you?

If not, please let us know and I will do my best to clarify.

Cary



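The OU/GPO layout Cary walks through above (OU for the terminal server, computer account moved into it, one GPO linked there with loopback in Replace mode plus the user-side lockdown settings), as an added PowerShell example that is not part of the thread. It uses the ActiveDirectory and GroupPolicy modules, which ship with Windows Server 2008 R2 and later / RSAT and did not exist on Windows 2003, so it assumes you are administering the domain from a newer box. The OU name CITRIX, the computer name citrix01, the GPO name and the NoRun example setting are all assumptions taken from or added to Cary's scenario. It assumes the Terminal Server is a member server as in his example; if the TS is also your only DC, as in JPM's case, do not move the DC out of the Domain Controllers OU, but link the GPO to that OU instead, keeping in mind that it then applies to every DC.

```powershell
# Added example (not from the thread): builds the OU/GPO layout described above and
# enables user loopback processing in Replace mode.
# Assumptions: ActiveDirectory + GroupPolicy modules available, OU 'CITRIX',
# member server 'citrix01', GPO name 'TS Lockdown (Loopback Replace)'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName
$ouName     = 'CITRIX'
$ouDn       = "OU=$ouName,$domainDn"
$tsComputer = 'citrix01'
$gpoName    = 'TS Lockdown (Loopback Replace)'

# 1. OU that will hold the terminal server's computer account object.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the member server out of the default 'Computers' container into that OU.
#    Do NOT do this with a Domain Controller; DCs stay in the Domain Controllers OU.
$computer = Get-ADComputer -Identity $tsComputer
if ($computer.DistinguishedName -notlike "*,$ouDn") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
}

# 3. Create the GPO (if missing) and link it to the CITRIX OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'User lockdown for terminal server sessions'
}
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 4. Enable loopback. In the GPMC editor this is
#    Computer Configuration > Administrative Templates > System > Group Policy >
#    "User Group Policy loopback processing mode". It is stored in the GPO's computer
#    side as HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode
#    (DWORD: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. Put the user-side lockdown settings in the SAME GPO. Because of loopback they are
#    applied to every user who logs on to citrix01, regardless of which OU holds the
#    user account. Example setting: remove Run from the Start menu (NoRun = 1).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# 6. Check the result: loopback mode as stored in the GPO, and the link on the OU.
$mode = Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
"Loopback mode in '$gpoName': $($mode.Value) (1 = Merge, 2 = Replace)"
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize

# On the terminal server, after 'gpupdate /force' and a fresh logon, confirm that this GPO
# is listed under the USER settings and that the GPOs linked to the users' own OU
# (Cary's 'employees' OU) are no longer listed:
#   gpresult /r /scope:user
```

Two things to check before rolling this out. First, Replace mode hits administrators too: any admin who logs on to the terminal server gets the same locked-down user settings, so either keep a separate admin logon path or use security filtering on the GPO (remove Authenticated Users from Apply Group Policy and grant it only to the groups that should be locked down, while still granting Read to the computer). Second, run `gpresult /r /scope:user` (or `/h report.html`) as a test user on the TS; if the 'employees' OU GPOs still show as applied, the computer account is not in the linked OU or the loopback value never reached the computer side of the GPO.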
 